tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Neil Munro <>
Subject Re: Tomcat, JSP and LDAP
Date Sun, 18 Mar 2012 11:34:08 GMT
On Mar 16, 2012 7:22 PM, "Christopher Schultz" <>
> Hash: SHA1
> Neil,
> On 3/16/12 6:23 AM, Neil Munro wrote:
> > On 15 March 2012 18:24, Christopher Schultz <Realm
> > className="org.apache.catalina.realm.JNDIRealm"
> > connectionName="uid={0},ou=my company users,dc=mycompany,dc=com "
> > connectionPassword="userPassword"
> > connectionURL="ldap://my.ldap.server"
> > alternateURL="ldap://my.ldap.server" roleBase="ou=my company
> > users,dc=mycompany,dc=com" roleName="cn"
> > roleSearch="(uniqueMember={0})" userPattern="uid={0},ou=my company
> > users,dc=mycompany,dc=com" />
> >
> > I have added those changes, as for which connection mode I need, I
> > think bind would be ok for now just to check to see if I can
> > establish a connection, but looking at it I think if I will be
> > querying ldap for a user name and password then comparison mode is
> > what I need.
> That's kind of the first decision you have to make when using LDAP for
> authentication: what user makes the initial connection? From your
> later post, it's not clear how you are connecting to the LDAP server
> in order to fetch the valid user ids. Can you provide the setup
> information for your InitialDirContext (sanitized, of course)?
> > However with this configuration my whole app become inaccessible,
> > I imagine it's some form of protection or permissions thing, but in
> > my floundering around trying things, this is the only thing that
> > seems to have any effect on the whole app.
> I thought the whole app was supposed to be unavailable unless the user
> successfully logged-in. Do I have that wrong? A misconfigured JNDI
> realm *should* lock you out of the entire app because authentication
> always fails.
> >> Can you run any queries against the LDAP server outside of Tomcat
> >> that give you results that you might expect? For instance, can
> >> you do a search of the LDAP tree for a particular user? What does
> >> that query look like? When you do that search, are you using
> >> anonymous bind or are you using user bind? If user, which user?
> >> Some administrative user or the user whose credentials should be
> >> checked?
> >
> > I can connect with a tool called JXplorer, but I have not had any
> > luck from other applications, but that's due to inability to find
> > any up to date documentation on the libraries I was using.
> In JXplorer, are you able to run queries that look anything like those
> you are trying to use in your Realm configuration?
> Here is the most recent configuration you posted:
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>      connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
>      connectionPassword="userPassword"
>      connectionURL="ldap://"
>      alternateURL="ldap://"
>      roleBase="ou=my company users,dc=mycompany,dc=com"
>      roleName="cn"
>      roleSearch="(uniqueMember={0})"
>      userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
> You said this "currently works": did you mean that was your current
> (non-working) setup, or that this setup actually works?
> I don't believe connectionName can be parameterized. I think that's
> intended to be used when using a "manager" user to connect to the LDAP
> server in order to perform comparison-mode authentication.
>      userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"
> Does this actually match the DN pattern of your users? (It might help
> if you were to post the full LDIF record for a sample user. Same with
> a group record.)
>      roleSearch="(uniqueMember={0})"
> Using OpenLDAP's 'ldapsearch' command-line utility, I can search my
> own LDAP database for groups containing myself like this:
> $ ldapsearch -x 'uniqueMember:=uid=schultz,dc=mydomain,dc=mytld' cn
> Note that "-x" means "simple bind" -- that is, anonymous. Also note
> that I have to use "uniqueMember:=" instead of simply "uniqueMember="
> because the uniqueMember value contains = signs. I'm not sure if that
> will have any effect because I don't have a Java-based JNDI probe
> available to me at the moment.
> At this point, you are basically bumbling around in the dark. I highly
> recommend enabling debug logging for the JNDIRealm component (really
> the container's logger) by adding this into your conf/
> org.apache.catalina.realm.level=FINE
> It's going to generate a ton of output. Try only authenticating a
> single time, then shut down Tomcat and read the log file (catalina.out
> should contain it). Make sure you follow what is going on, and you can
> probably see where things start to go wrong: either some search string
> will look wrong, or it will make a decision based upon your
> configuration that you didn't anticipate, etc.
> If you can't figure it out, post as much of the log to the list as you
> can and we'll take a look.
> - -chris
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools -
> Comment: Using GnuPG with Mozilla -
> iEYEARECAAYFAk9jktYACgkQ9CaO5/Lv0PBsiwCeJ0jsXUamQkD/M9gs+XBQg6Y1
> 9RMAnAgaK0bQ7my2JjbrSlBFvu8xHCu/
> =vSDP
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Ok first things first I shall use my user to make the initial connection, I
gather this is something that can't be done anonymously, later if I can I
will have admin create a connection user. So with that in mind I replaced
{0} with my user name and connectionPassword with my plain text password
and with that configured I can access the login page, but not actually
login, j_security_check redirects me to the failed login page. My initial
thought was that since users can be specified at any time I wanted an
anonymous bind connection to get the list of users and then switch to the
user entered but I couldn't get very far with that.

Yes you are right I wasn't being clear in my meaning, the whole app should
be protected unless a user has logged on.

Yes I can run uid=* to get a list of all users in both jxplorer and the jsp
used in page. So the querys do work else I would not be able to retrieve
any users.

Unfortunately I cant give you the dirContext until tomorrow when I get back
into the office.

As for moving my login and fail_login jsp to web-inf the pages could not be
located and a had a go working in the web.xml file pointing to a path
relative to /../web-inf/ or similar, I shall try again but I did try your
suggestion and will try again just to ensure I didn't simply make a typo.

You must forgive me if I have missed anything as I only have a phone
available to me at weekends but I shall reread and provide further
information tomorrow but I thought I should explain what I was trying to do
in case its impossible the way I understand it and I have been making
myself go in circles.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message